I’ve written a new Varnish 3.0 VMOD called ipcast.
It has a single function, ipcast.clientip(ipstring), which sets the internal Varnish variable client.ip to whatever IPv4/IPv6 address you give as the argument.
You need this if you want to do ACL checks on connections that come in through a load balancer or SSL terminator. In those cases client.ip would be 127.0.0.1, and the real client's IP address arrives in the X-Forwarded-For (or similar) header instead.
You can find it here:
https://github.com/lkarsten/libvmod-ipcast
Here is some example VCL to illustrate how it works. I think the regex needs some work; suggestions and pull requests are welcome.
import ipcast;

acl friendly_network {
    "192.0.2.0"/24;
}

sub vcl_recv {
    # A single entry: the header already is the address to check.
    if (req.http.X-Forwarded-For !~ ",") {
        set req.http.xff = req.http.X-Forwarded-For;
    } else {
        # Several entries: drop the first (leftmost) entry and keep the rest.
        set req.http.xff = regsub(req.http.X-Forwarded-For, "^[^,]+.?.?(.*)$", "\1");
    }
    # A non-zero return means the string did not parse as an IPv4/IPv6 address.
    if (ipcast.clientip(req.http.xff) != 0) {
        error 400 "Bad request";
    }
    # client.ip now holds the forwarded address, so the ACL is applied to it.
    if (client.ip !~ friendly_network) {
        error 403 "Forbidden";
    }
}
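The added example below is my own Python, not code from the VMOD or from the post; it models the same flow as the VCL (parse the forwarded address, 400 if it is not a valid address, 403 if it is outside friendly_network). It goes further than the regex above in one respect: it picks the X-Forwarded-For entry by position from the right, counting the hops you trust (the trusted_hops parameter and the function names are my assumptions), because each proxy appends the peer it saw and everything to the left of the trusted entries is client-supplied text.

```python
import ipaddress

# Constructed sample ACL, matching the friendly_network acl in the VCL.
FRIENDLY_NETWORK = [ipaddress.ip_network("192.0.2.0/24")]


def select_client_ip(xff, trusted_hops=1):
    """Return the address recorded by the nearest trusted proxy, or None.

    X-Forwarded-For reads "client, proxy1, proxy2, ...": every hop appends
    the peer it accepted the connection from. Only the last `trusted_hops`
    entries were written by infrastructure you control, so the entry at
    position -trusted_hops is the peer your outermost trusted proxy saw.
    Anything further left was already in the header when it arrived.
    """
    if not xff:
        return None
    entries = [entry.strip() for entry in xff.split(",")]
    if len(entries) < trusted_hops:
        return None  # fewer entries than trusted proxies: header is broken
    try:
        return ipaddress.ip_address(entries[-trusted_hops])
    except ValueError:
        return None  # corresponds to ipcast.clientip() returning non-zero


def check_request(xff, acl=FRIENDLY_NETWORK, trusted_hops=1):
    """Mirror the VCL decisions: 400 on an unparsable address, 403 when the
    address is outside the ACL, otherwise 200."""
    client_ip = select_client_ip(xff, trusted_hops)
    if client_ip is None:
        return 400
    if not any(client_ip in network for network in acl):
        return 403
    return 200
```

A client can prepend any value it likes, so "192.0.2.10, 198.51.100.7" behind a single trusted proxy is rejected with 403 because the proxy-recorded address is 198.51.100.7, while the leftmost spoofed entry is ignored.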